使用 Python smtplib 发送没有密钥文件(仅证书文件)的电子邮件

2022-01-17 00:00:00 python email smtp python-2.6

问题描述

尝试使用以下脚本发送带有证书文件的电子邮件:

Trying to send email with a certificate file using the following script:

import smtplib

client = smtplib.SMTP(myhost, myport)
client.ehlo()
client.starttls(certfile=mycertfile)
client.ehlo()

client.login(myusername, mypassword)
client.sendmail(sender, receiver, Message)
client.quit()

我收到以下错误:

SSLError: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

我认为文档(smtplib.html 和ssl.html) 说我需要提供一个私钥.我只有证书文件(base64 PEM 格式).我的 devops 说在这种情况下不需要私钥,因为我不需要识别连接的本地端.

I think documentations (smtplib.html and ssl.html) say I need to provide a private key. I only have the certificate file (base64 PEM format). My devops says that a private key is not required in this case because I do not need to identify the local side of the connection.

有没有办法在不提供私钥的情况下发送电子邮件?如果需要私钥,为什么?

Is there a way to send the email without providing the private key? If a private key is required, why?


解决方案

有两种使用 SSL/TLS 的方法:客户端经过身份验证和客户端未经身份验证的基本".在客户端经过身份验证的连接中,服务器和客户端都向对方发送证书.在基本"中,只有服务器可以.

There are two ways to use SSL/TLS: client authenticated and "basic" where the client is unauthenticated. In client authenticated connections, the both the server and the client send a certificate to the other. In "basic" only the server does.

如果您既没有传递证书也没有传递密钥文件,smtplib 将使用基本连接,在此对客户端进行身份验证.

If you pass neither a certificate nor a keyfile, smtplib will use a basic connection, where the client is authenticated.

如果您使用证书,它将用于经过客户端身份验证的连接.在这种情况下,服务器将要求客户端通过签署握手消息来表明它拥有证书.为了让客户端能够做到这一点,它还需要私钥,它可以在证书文件中,也可以作为单独的密钥文件.

If you use a certificate, it will be used for a client authenticated connection. In that case, the server will demand that the client shows it owns the certificate by signing a handshake message. For the client to be able to do that it also needs the private key, which can be either in the certificate file or as a separate keyfile.

长话短说,如果要使用客户端证书,还必须使用密钥.如果没有,您可以将两者都留空.

Long story short, if you want to use a client certificate, you must also use a key. If not, you can just leave both empty.

OTOH,也许您有要用于连接的服务器证书文件或 CA 列表?

OTOH, maybe you have a server certificate file or CA list you want to use with the connection?

在这种情况下,您需要将其传递给 ca_certs 参数中的 ssl.wrap_socket.由于您使用 Python 2.6,因此使用 smtplib 并没有简单的方法来做到这一点(Python 3.3+ 对 context 参数.org/3.4/library/smtplib.html#smtplib.SMTP.starttls" rel="nofollow">starttls).

In that case you need to pass it to ssl.wrap_socket in the ca_certs parameter. Since you use Python 2.6 there's no easy way to do that with smtplib (Python 3.3+ has a context argument to starttls).

如何解决这个问题取决于您的应用程序.例如,如果您不需要 ssl 来做其他任何事情,一个骇人听闻的解决方案是将 ssl.wrap_socket 与提供您的 ca_cert(可能还有 cert_reqs=CERT_REQUIRED).

How to solve this depends on your application. For example, if you do not need ssl for anything else, a hackish solution would be to monkey-patch ssl.wrap_socket with one that provides your ca_cert (as well as cert_reqs=CERT_REQUIRED, likely).

更完整的解决方案是使用您自己的允许传入这些参数的变体扩展 smtplib.SMTP.

A more full blown solution would be to extend smtplib.SMTP with your own variant that does allow passing in those parameters.

相关文章